diff options
| author | Thomas Kriechbaumer <Kriechi@users.noreply.github.com> | 2018-05-06 12:24:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-05-06 12:24:24 +0200 |
| commit | 44d788ff96187a353af908bba64f3b5cb75d6233 (patch) | |
| tree | 4f5ac2437c4242580e1a385beb29bde9702f59d8 /docs | |
| parent | eecb576aff0fb5c4d66e637ce09fd26e94590a8f (diff) | |
| parent | 9ee96f022764c71a4a776956037230d6ef4fee7e (diff) | |
| download | mitmproxy-44d788ff96187a353af908bba64f3b5cb75d6233.tar.gz mitmproxy-44d788ff96187a353af908bba64f3b5cb75d6233.tar.bz2 mitmproxy-44d788ff96187a353af908bba64f3b5cb75d6233.zip | |
Merge pull request #2986 from miheerdew/patch-1
Workaround for MacOS transparent proxy
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/src/content/howto-transparent.md | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index ee5b9f57..07a21ec9 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -221,13 +221,47 @@ Note that the **rdr** rules in the pf.conf given above only apply to inbound traffic. **This means that they will NOT redirect traffic coming from the box running pf itself.** We can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection -from mitmproxy itself - if you want to intercept your OSX traffic, you -should use an external host to run mitmproxy. Nonetheless, pf is +from mitmproxy itself. If you want to intercept your own macOS traffic, see the work-around below or use an external host to run mitmproxy. In fact, PF is flexible to cater for a range of creative possibilities, like intercepting traffic emanating from VMs. See the **pf.conf** man page for more. {{% /note %}} +### Work-around to redirect traffic originating from the machine itself + +Follow the steps **1, 2** as above. In step **3** change the contents of the file **pf.conf** to + +{{< highlight none >}} +#The ports to redirect to proxy +redir_ports = "{http, https}" + +#The address the transparent proxy is listening on +tproxy = "127.0.0.1 port 8080" + +#The user the transparent proxy is running as +tproxy_user = "nobody" + +#The users whose connection must be redirected. +# +#This cannot involve the user which runs the +#transparent proxy as that would cause an infinite loop. +# +#Here we redirect for all users which don't run transparent proxy. +redir_users = "{ !=" $tproxy_user "}" + +#If you only wish to redirect traffic for particular users +#you may also do: +#redir_users = "{= john, = jane}" + +rdr pass proto tcp from any to any port $redir_ports -> $tproxy +pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user $redir_users +{{< / highlight >}} + +Follow steps **4-6** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **7** should look like: + +{{< highlight bash >}} +sudo -u nobody mitmproxy --mode transparent --showhost +{{< / highlight >}} ## "Full" transparent mode on Linux |